
I luvz hacking challenges sites, do you?


Yaniv Miron aka Lament
CyberLord
@lament1337
HackFest 2014 CANADA

/ About me
Yaniv Miron aka Lament
Security Researcher and Consultant
Certified Locksmith & CISO Certified
Found 0-days @ IBM, Oracle, Microsoft, Apache, Facebook (F-U for not giving me credit & bounty) and more.

/ What's going on here?

There are many CTF games, and these hacking challenges are a kind of online Capture The Flag.

I would like to share my experience by demoing some examples of these online hacking challenges.
Some of them are Stego, Logic and Reversing.

Hacking challenge sites?

There are different sites that offer challenges; some of them actually grade and rank the users and some just let the users download challenges and try them offline.

HackThisSite.Org
One of the largest sites in this area
Different cool challenges in there

Other sites
http://canyouhack.it
http://www.dareyourmind.net
http://crackmes.de
Many more

The Ranks
Different levels give different ranks

The Different Challenges

Why the h311 are you giving solutions?
Unfortunately most of them are somewhere online.
Unfortunately people just copy the solutions from others and paste the answer.
Because it's a small % of the real challenges and you need to learn somehow.

Solutions
There are different ways to solve different tasks; it could be that there are easier ways than what I'm showing here, but this is the path that I took.
I'm trying to show how to think rather than just show the quick way to get a solution.
Sometimes that makes the solution more complicated.

DEMO Time !

Stego5.bmp #1
Hack The Planet
stego5.bmp

Stego5.bmp #2
First things first: is it really a BMP file?

Stego5.bmp #3
Looks like it:

Stego5.bmp #4
So what's next? I think I saw something similar in the past... Maybe as a user avatar? Let's save it:
avatar.jpg

Stego5.bmp #5
We have a problem... You can't really compare a BMP (the original) with a JPG (the avatar).
Or can we?

Stego5.bmp #6
Let's just turn the JPG into a BMP.
(JPEG is lossy, so the converted file is only an approximation of the original cover; the comparison shows where the two files differ, not the exact original bytes.)

Stego5.bmp #7

Now let's try to compare them with some hex

Stego5.bmp #8

Stego5.bmp #9
LSB?

Least-significant-bit embedding: it's widely used in stego.

Stego5.bmp #10
We will take the stego5.bmp hex and turn it into binary.

Stego5.bmp #11
Let's write a Python script 'cuz we're kewl

Stego5.bmp #12
And back to ASCII

Looks interesting... maybe it's syn-ack-?
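A worked version of the LSB extraction from slides #9-#12, added here as an example and not the script from the talk: it builds a small 24-bit BMP in memory (a constructed cover, not stego5.bmp), hides a message in the least significant bit of each pixel byte, shows which offsets changed (the hex-compare step), then pulls the bits back out and regroups them into ASCII. Names such as make_bmp and embed_lsb are this example's own.

```python
import struct


def make_bmp(width, height, seed=0x5A):
    """Build a minimal 24-bit BMP in memory. Constructed cover image for the
    demo, not the challenge's stego5.bmp."""
    row_bytes = width * 3
    pad = (-row_bytes) % 4                      # BMP rows are padded to 4 bytes
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 7 + y * 13 + seed) & 0xFF,
                             (x * 3 + seed) & 0xFF,
                             (y * 5 + seed) & 0xFF))
        pixels += b"\x00" * pad
    pixel_offset = 14 + 40                      # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixels)


def data_offset(bmp):
    """Offset of the pixel array, read from the file header (bfOffBits at byte 10)."""
    return struct.unpack_from("<I", bmp, 10)[0]


def embed_lsb(bmp, message):
    """Hide `message` (NUL-terminated) in the least significant bit of each pixel byte."""
    bits = "".join(f"{b:08b}" for b in message + b"\x00")
    start = data_offset(bmp)
    if len(bits) > len(bmp) - start:
        raise ValueError("message does not fit in the pixel data")
    out = bytearray(bmp)
    for i, bit in enumerate(bits):
        out[start + i] = (out[start + i] & 0xFE) | int(bit)
    return bytes(out)


def extract_lsb_bits(bmp):
    """The slides' 'hex -> binary' step reduced to what matters: one LSB per pixel byte."""
    start = data_offset(bmp)
    return "".join(str(b & 1) for b in bmp[start:])


def bits_to_text(bits, stop_at_nul=True):
    """'And back to ASCII': regroup the bit string into 8-bit characters."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = int(bits[i:i + 8], 2)
        if stop_at_nul and value == 0:
            break
        out.append(value)
    return bytes(out)


def diff_offsets(a, b):
    """Byte offsets where two files differ: the 'compare them with some hex' step.
    For LSB stego the differences sit in the pixel array, never in the headers."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    cover = make_bmp(32, 16)
    stego = embed_lsb(cover, b"hack the planet")     # constructed hidden message
    changed = diff_offsets(cover, stego)
    print(f"{len(changed)} bytes changed, first at offset {changed[0]} "
          f"(pixel data starts at {data_offset(cover)})")
    print(bits_to_text(extract_lsb_bits(stego)))
```

Only pixel bytes move, and each by at most one, which is why the stego file looks identical and why a hex diff against a clean copy of the image points straight at the payload region.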

Logic.Binary #1
Q1:
Binary: 2011010013001000003011101113011010013011011102

Logic.Binary #2
Binary is 1s and 0s, isn't it?
Clean out the 2s and the 3s:
Binary: 0110100100100000011101110110100101101110

Logic.Binary #3
Put it nicely (8 bits per character):
Binary: 01101001 00100000 01110111 01101001 01101110

Logic.Binary #4
Binary -> ASCII
Answer is: i win

Logic.Riddle #1
Q2:
I call, but I never talk. I knock, but I never enter. I feel a bit insecure.

Logic.Riddle #2
A port scanner knocks but never enters, calling the ports but never talking with them.

Insecure?
A2: nmap

Logic.URL #1
Q3:
Sometimes when you are coding a web-based program you make a mistake with URLs. Correct this link.
The link we get is:
http://yahoo.com/search?q=hobble%20sticks

Logic.URL #2
A3:
It looks like a Google link, as this is the format Google uses. Let's change it to:
http://google.com/search?q=hobble%20sticks

Logic.URL #3

Logic.Num #1
Q4:

Logic.Num #2

Each line reads the previous number out loud, run by run (the look-and-say sequence):
1 of 2 = 12
1 of 1 and 1 of 2 = 1112
3 of 1 and 1 of 2 = 3112
1 of 3, 2 of 1 and 1 of 2 = 132112
1 of 1, 1 of 3, 1 of 2, 2 of 1 and 1 of 2 = 1113122112
3 of 1, 1 of 3, 1 of 1, 2 of 2, 2 of 1 and 1 of 2 = 311311222112
A4: 311311222112
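The step rule above can be checked mechanically. The following is an added example, not from the slides, that generates the look-and-say sequence from the seed "2" and prints a term the way the slide reads it; the function names are this example's own.

```python
from itertools import groupby


def look_and_say(term):
    """Next term: read `term` aloud as runs of equal digits and write down
    'count, digit' for each run."""
    return "".join(f"{len(list(run))}{digit}" for digit, run in groupby(term))


def sequence(seed, n):
    """The first n terms of the sequence starting at `seed`."""
    terms = [seed]
    while len(terms) < n:
        terms.append(look_and_say(terms[-1]))
    return terms


def describe(term):
    """The slides' wording for reading a term, e.g. '3112' -> '1 of 3, 2 of 1 and 1 of 2'."""
    parts = [f"{len(list(run))} of {digit}" for digit, run in groupby(term)]
    return ", ".join(parts[:-1]) + (" and " if len(parts) > 1 else "") + parts[-1]


if __name__ == "__main__":
    terms = sequence("2", 7)
    for prev, cur in zip(terms, terms[1:]):
        print(f"{describe(prev)} = {cur}")
    print("A4:", terms[-1])
```

Starting from "2" reproduces the six lines on the slide exactly, and the seventh term is the answer.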

Reversing.app7 #1
We get a file called app7win.zip with 2 files inside:
app7win.exe
encrypted.enc

Let's try to run it

Reversing.app7 #2
So it seems that we need to find a password here.
Let's try to remove the encrypted.enc file from the folder, maybe it will help:

Reversing.app7 #3
Let's see what's inside this encrypted.enc file
Doesn't look promising (at least at the moment)

Reversing.app7 #4
Let's look at it in OllyDbg

Reversing.app7 #5
jnz -> jz?

YEAH! We got junk

Reversing.app7 #6
Oh well... it didn't work.
Off we go to IDA Pro

Reversing.app7 #7
So we need to get 0DCAh

Reversing.app7 #8
Oh no, it's not gonna be that easy, dude

Reversing.app7 #9
This is the interesting part, which handles our buffer and the .enc file

Reversing.app7 #10
The general thing happening in this block is that it loops 5 times and every time reads one character from the .enc file.
The characters that were read (in hex) are "31,4D,39,35,33", or in ASCII "1M953". This is not the password, but it will help us get the password (this is the key from the .enc file).

Reversing.app7 #11

Reversing.app7 #12
Next, the app takes the user input + [ENTER = 0x0A] and sums the bytes.

So if our input is "A" it will be 0x41 + 0x0A = 0x4B; if it's "AA" it will be 0x41 + 0x41 + 0x0A = 0x8C.
It then places that sum in var_1C and XORs it with each of the 5 key chars.

Reversing.app7 #13

Reversing.app7 #14
It adds all five results and places the total in var_18, which is compared with "0DCAh" (3530).
So for "AA":
(0x31 xor 0x8C) + (0x4D xor 0x8C) + (0x39 xor 0x8C) + (0x35 xor 0x8C) + (0x33 xor 0x8C) = 0x3AB
Does it match? Nope.

Reversing.app7 #15

Reversing.app7 #16
So to solve this problem we need to have:
(0x31 xor X) + (0x4D xor X) + (0x39 xor X) + (0x35 xor X) + (0x33 xor X) = 0xDCA
So what is X???

Reversing.app7 #17
To solve it we can just brute force it. So we will try first "A" as input, then "AA", then "AAA" until we get the right result.
At the end the result was that as long as our input sums to 753 (0x2F1) it would solve the problem. Therefore it doesn't really matter what the input is, as long as its bytes add up to 753 together.

Reversing.app7 #18
I have used: ccccccc2
We need to remember that at the end of our input there is "enter", which is 10, so the characters we type should actually total 743:
c(99) + c(99) + c(99) + c(99) + c(99) + c(99) + c(99) + 2(50) + ENTER(10) = 753
So:
(0x31 xor 0x2F1) + (0x4D xor 0x2F1) + (0x39 xor 0x2F1) + (0x35 xor 0x2F1) + (0x33 xor 0x2F1) = 0xDCA

Reversing.app7 #19

Reversing.app7 #20
Game over!
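Putting the whole app7 check together, as an added example rather than code from the talk. The model follows the slides: five key bytes from encrypted.enc, the byte sum of the input plus ENTER = 0x0A as X, XOR with each key byte, and the sum compared with 0DCAh. It brute-forces X over every value the XOR-sum can reach, then builds a printable input with the needed byte sum. Names (KEY, checksum, build_input) are this example's own, and the ENTER = 0x0A detail is taken from the slides, not re-verified against the binary.

```python
KEY = bytes.fromhex("314D393533")       # the 5 bytes read from encrypted.enc: "1M953"
TARGET = 0x0DCA                          # the value var_18 is compared against (3530)
ENTER = 0x0A                             # trailing newline the program sums in too (per the slides)


def input_sum(data):
    """What the app computes from what we type: the byte sum of the input plus ENTER."""
    return sum(data) + ENTER


def checksum(x):
    """var_18: each key byte XORed with the input sum, then all five added up."""
    return sum(k ^ x for k in KEY)


def passes(data):
    """True when typing `data` (without the newline) satisfies the comparison."""
    return checksum(input_sum(data)) == TARGET


def brute_force(limit=0x1000):
    """Every input sum X that satisfies the comparison. Bits of X above bit 7 pass
    straight through the XOR (the key bytes have them clear), so each such bit
    adds five times its weight and X is bounded well below `limit`."""
    return [x for x in range(limit) if checksum(x) == TARGET]


def build_input(total):
    """Printable ASCII whose byte values sum to `total` (ENTER not included)."""
    if total < 0x20:
        raise ValueError("total too small for a printable byte")
    n = -(-total // 0x7E)                # fewest bytes, each at most '~' (0x7E)
    base, extra = divmod(total, n)       # spread the total evenly so every byte is printable
    return bytes([base + 1] * extra + [base] * (n - extra))


if __name__ == "__main__":
    for x in brute_force():
        guess = build_input(x - ENTER)
        print(f"X = {x:#x} ({x}) -> type {guess.decode()!r}: passes = {passes(guess)}")
    print("ccccccc2 ->", input_sum(b"ccccccc2"), passes(b"ccccccc2"))
```

X has to be 0x2F1 and nothing else: the high bits of X are never cancelled by the XOR, so each adds five times its weight, which pins the part above the low byte to 0x200 and leaves only the low byte to solve. The brute force confirms there is exactly one solution, so any typed string whose bytes total 743 works, ccccccc2 included.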

Reversing.app13 #1
Let's run it

Reversing.app13 #2

Reversing.app13 #3
So let's skip IDA & Olly and check the hints

Reversing.app13 #4
We can monitor the time it takes the app to check every number that we enter.
A Python script feeds it 1-999 and measures how much time the app takes to check each one.
Slowest number is the right one (?)

Close even explorer.exe, because it takes CPU power and could skew our results.

Reversing.app13 #5
So let's do a quick & dirty BF on this app

Reversing.app13 #6
And run it

Reversing.app13 #7

Reversing.app13 #8
Let's just do it 3 more times, every time putting the recovered value in place of the dummy one we had

Reversing.app13 #9
Our monitoring worked!
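What the quick & dirty brute force relies on, as an added example and not the talk's script: a constructed stand-in for app13 that compares the entered numbers one field at a time and stops at the first mismatch, so a guess with a longer correct prefix takes longer to reject. `recover` tries 1-999 per field, keeps the slowest candidate and moves on, the same "put the recovered value in place of the dummy" loop as slide #8. `measure_wallclock` times the check from outside as the slides do; `measure_work` reads the stand-in's own iteration counter, which is the noise-free way to test the attack. The secret, the per-field cost and all names are assumptions of this example.

```python
import statistics
import time

WORK_PER_FIELD = 3000                 # spin iterations per compared field (constructed)


class LeakyChecker:
    """Stand-in for app13 (constructed, not the challenge binary): compares the
    entered numbers field by field and bails out at the first mismatch, so the
    time spent grows with the length of the correct prefix."""

    def __init__(self, secret):
        self._secret = tuple(secret)
        self.work = 0                 # deterministic cost of the last check()

    def check(self, guess):
        self.work = 0
        for entered, wanted in zip(guess, self._secret):
            for _ in range(WORK_PER_FIELD):   # the per-field cost we measure from outside
                pass
            self.work += WORK_PER_FIELD
            if entered != wanted:
                return False
        return len(guess) == len(self._secret)


def measure_wallclock(target, guess, repeats=7):
    """What the slides do: time the check from outside. The median of several
    runs rides out scheduler noise (the reason the slides close explorer.exe)."""
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter()
        ok = target.check(guess)
        samples.append(time.perf_counter() - t0)
    return ok, statistics.median(samples)


def measure_work(target, guess):
    """Noise-free oracle: the checker's own work counter instead of a clock."""
    ok = target.check(guess)
    return ok, target.work


def recover(target, fields, candidates=range(1, 1000), measure=measure_wallclock, dummy=0):
    """Field by field, keep the slowest candidate; fields not yet known hold a
    dummy value that cannot be right. The last field cannot be told apart by
    timing (every guess runs the full loop), so it is confirmed by the check's
    own result instead."""
    known = []
    for pos in range(fields):
        slowest, slowest_cost = None, -1
        for c in candidates:
            guess = tuple(known) + (c,) + (dummy,) * (fields - pos - 1)
            ok, cost = measure(target, guess)
            if ok:
                return tuple(known) + (c,)
            if cost > slowest_cost:
                slowest, slowest_cost = c, cost
        known.append(slowest)
    return tuple(known)


if __name__ == "__main__":
    target = LeakyChecker((4, 17, 250))               # constructed secret
    print("work counter:", recover(target, 3, measure=measure_work))
    print("wall clock:  ", recover(target, 3))        # a few seconds; noisy on a busy box
```

Against a real binary you only have the wall clock, so take the median of repeated runs, keep the machine quiet, and re-run a field whose slowest candidate is not clearly ahead of the rest; a single noisy sample is enough to pick the wrong value and send the next field's search down a dead end.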

Forensics.1 #1
We get this:

And a file: image.tar.gz

Forensics.1 #2

Forensics.1 #3
So we need to find a password.
First things first, extract the file. We get a dd file: image.dd
Let's check what's in there real quick

Forensics.1 #4
Looks like we've got an NTFS Windows system

Forensics.1 #5

Forensics.1 #6
So it's mounted

Forensics.1 #7
3 empty folders

Forensics.1 #8
Well, it's a forensics challenge... so probably we need to recover some deleted data.
Let's try to see what kind of deleted files are there.

Forensics.1 #9

Forensics.1 #10

We've got 17 files of different types.
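The "is it NTFS?" check from slide #4 done by hand rather than with file(1), as an added example that is not from the talk: it reads the NTFS boot sector of a raw volume image and reports the cluster size and where $MFT lives, which is the structure the deleted-file listing on the following slides walks. The boot-sector builder exists only so the example runs offline; it is constructed, not taken from image.dd. Names are this example's own.

```python
import struct


def make_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                          total_sectors=20971520, mft_cluster=786432,
                          mftmirr_cluster=2, serial=0x1234567890ABCDEF):
    """A constructed NTFS boot sector carrying the fields a parser cares about;
    the bootstrap code area stays zero. Not taken from the challenge image."""
    sector = bytearray(bytes_per_sector)
    sector[0:3] = b"\xEB\x52\x90"                          # jump over the BPB
    sector[3:11] = b"NTFS    "                             # OEM ID
    struct.pack_into("<HB", sector, 0x0B, bytes_per_sector, sectors_per_cluster)
    sector[0x15] = 0xF8                                    # media descriptor: fixed disk
    struct.pack_into("<QQQ", sector, 0x28, total_sectors, mft_cluster, mftmirr_cluster)
    sector[0x40] = 0xF6     # clusters per MFT record: negative => 2**10 = 1024 bytes
    sector[0x44] = 0x01     # clusters per index buffer
    struct.pack_into("<Q", sector, 0x48, serial)
    sector[0x1FE:0x200] = b"\x55\xAA"                      # end-of-sector marker
    return bytes(sector)


def parse_ntfs_boot_sector(image):
    """Read the NTFS BIOS parameter block from the first sector of a raw volume
    image. Returns None when the OEM ID or the 0x55AA marker is missing, which
    is what you see when the file is a whole-disk image with a partition table."""
    if len(image) < 512 or image[3:11] != b"NTFS    " or image[0x1FE:0x200] != b"\x55\xAA":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", image, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", image, 0x28)
    record_field = struct.unpack_from("<b", image, 0x40)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value n means each MFT record is 2**(-n) bytes, not a cluster count.
    record_size = 2 ** (-record_field) if record_field < 0 else record_field * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,          # as recorded in the BPB
        "mft_offset": mft_cluster * cluster_size,
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "mft_record_size": record_size,
        "serial": struct.unpack_from("<Q", image, 0x48)[0],
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else make_ntfs_boot_sector()
    info = parse_ntfs_boot_sector(data)
    print("not an NTFS volume (partition table in front?)" if info is None else info)
```

On the real file: `python3 ntfs_boot.py image.dd`. A None result usually means the image starts with an MBR rather than a volume; The Sleuth Kit's mmls prints the partition's sector offset, and `fls -o <offset> -r -d image.dd` then lists the deleted entries with their MFT numbers, which `icat` can pull out one by one. The mft_offset reported here is where those tools start walking.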

Forensics.1 #11
Oh boy... well, let's check the other files.
We've got a media file: Voicemail 1.wav
When played we can hear the tech support guy telling Stacy that the password is her phone number. And what is her phone number?

Forensics.1 #12
Let's dig some more; we can see that there is a file called Termination - Allen Smith.docx

Forensics.1 #13
Using the phone number 5195554783 we can extract the content of "Your new password is.rar".
Inside there is a file called "Your new password is.docx".
Inside we've got our password.

Forensics.1 #14
We've saved the world again!

To Wrap It Up
Hacking challenge sites are KEWL
They help you practice your skills & prepare for CTF games
You have a community to support you while trying

# E [0] F #
Q? (meet @ the lounge now or)
>>
lament [AT] ilhack [DOT] org
http://www.ilhack.org/lament
Join me @lament1337

In god we trust, all others we monitor.
